- dtucker@cvs.openbsd.org 2013/05/16 04:09:14

[sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
author: Darren Tucker <dtucker@zip.com.au> 2013-05-16 20:29:28 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2013-05-16 20:29:28 +1000
commit: 5f96f3b4bee11ae2b9b32ff9b881c3693e210f96 (patch)
tree: 1e1c647e73e447b06b194b38b5d39e95aec8bef9 /sshd_config.5
parent: c53c2af173cf67fd1c26f98e7900299b1b65b6ec (diff)
1 files changed, 30 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 590fb4088..9e0b3a5c0 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.158 2013/04/19 01:00:10 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.159 2013/05/16 04:09:14 dtucker Exp $
-.Dd $Mdocdate: April 19 2013 $
+.Dd $Mdocdate: May 16 2013 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -814,6 +814,7 @@ Available keywords are
 .Cm PermitRootLogin ,
 .Cm PermitTunnel ,
 .Cm PubkeyAuthentication ,
+.Cm RekeyLimit ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
@@ -1008,6 +1009,33 @@ Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm RekeyLimit
+Specifies the maximum amount of data that may be transmitted before the
+session key is renegotiated, optionally followed a maximum amount of
+time that may pass before the session key is renegotiated.
+The first argument is specified in bytes and may have a suffix of
+.Sq K ,
+.Sq M ,
+or
+.Sq G
+to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
+The default is between
+.Sq 1G
+and
+.Sq 4G ,
+depending on the cipher.
+The optional second value is specified in seconds and may use any of the
+units documented in the
+.Sx TIME FORMATS
+section of
+.Xr sshd_config 5 .
+The default value for
+.Cm RekeyLimit
+is
+.Dq default none ,
+which means that rekeying is performed after the cipher's default amount
+of data has been sent or received and no time based rekeying is done.
+This option applies to protocol version 2 only.
 .It Cm RevokedKeys
 Specifies revoked public keys.
 Keys listed in this file will be refused for public key authentication.
author	Darren Tucker <dtucker@zip.com.au>	2013-05-16 20:29:28 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2013-05-16 20:29:28 +1000
commit	5f96f3b4bee11ae2b9b32ff9b881c3693e210f96 (patch)
tree	1e1c647e73e447b06b194b38b5d39e95aec8bef9 /sshd_config.5
parent	c53c2af173cf67fd1c26f98e7900299b1b65b6ec (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 590fb4088..9e0b3a5c0 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.158 2013/04/19 01:00:10 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.159 2013/05/16 04:09:14 dtucker Exp $
37	.Dd $Mdocdate: April 19 2013 $	37	.Dd $Mdocdate: May 16 2013 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -814,6 +814,7 @@ Available keywords are
814	.Cm PermitRootLogin ,	814	.Cm PermitRootLogin ,
815	.Cm PermitTunnel ,	815	.Cm PermitTunnel ,
816	.Cm PubkeyAuthentication ,	816	.Cm PubkeyAuthentication ,
		817	.Cm RekeyLimit ,
817	.Cm RhostsRSAAuthentication ,	818	.Cm RhostsRSAAuthentication ,
818	.Cm RSAAuthentication ,	819	.Cm RSAAuthentication ,
819	.Cm X11DisplayOffset ,	820	.Cm X11DisplayOffset ,
@@ -1008,6 +1009,33 @@ Specifies whether public key authentication is allowed.
1008	The default is	1009	The default is
1009	.Dq yes .	1010	.Dq yes .
1010	Note that this option applies to protocol version 2 only.	1011	Note that this option applies to protocol version 2 only.
		1012	.It Cm RekeyLimit
		1013	Specifies the maximum amount of data that may be transmitted before the
		1014	session key is renegotiated, optionally followed a maximum amount of
		1015	time that may pass before the session key is renegotiated.
		1016	The first argument is specified in bytes and may have a suffix of
		1017	.Sq K ,
		1018	.Sq M ,
		1019	or
		1020	.Sq G
		1021	to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
		1022	The default is between
		1023	.Sq 1G
		1024	and
		1025	.Sq 4G ,
		1026	depending on the cipher.
		1027	The optional second value is specified in seconds and may use any of the
		1028	units documented in the
		1029	.Sx TIME FORMATS
		1030	section of
		1031	.Xr sshd_config 5 .
		1032	The default value for
		1033	.Cm RekeyLimit
		1034	is
		1035	.Dq default none ,
		1036	which means that rekeying is performed after the cipher's default amount
		1037	of data has been sent or received and no time based rekeying is done.
		1038	This option applies to protocol version 2 only.
1011	.It Cm RevokedKeys	1039	.It Cm RevokedKeys
1012	Specifies revoked public keys.	1040	Specifies revoked public keys.
1013	Keys listed in this file will be refused for public key authentication.	1041	Keys listed in this file will be refused for public key authentication.